account_tree

Software Development and Maintenance Plan

Use this Software Development and Maintenance Plan template to document and control all activities related to the development, maintenance, version control, verification, and validation of medical device software in compliance with IEC 62304 and ISO 13485. This template is essential for ensuring traceability, managing software changes, and meeting regulatory requirements throughout the software lifecycle, and should be completed at the start of software development and updated as the software evolves. It helps you organize responsibilities, document key deliverables, and ensure risk management—including SOUP evaluation—for each development stage.
Generate ->

Software Development and Maintenance Plan

ID: Lorem ipsum dolor sit amet.

1. Scope

This document summarizes development and maintenance activities for the software of Consectetur adipiscing elit. The software development and maintenance plan is developed according to the SOP Software Development and IEC 62304:2006 and ISO 13485:2016.

2. Document References

Please see the relevant processes for the following activities:

  • SOP Software Development
  • SOP Problem Resolution
  • SOP Change Management
  • SOP Deployment
  • SOUP List

3. Responsibilities

Responsibilities are generally described for each functional group below related to the software development and maintenance process.

  • Software - Creation of software documentation, software requirements, implementation of code, code reviews, software architecture, software test plan, software testing reports, release notes, list of known anomalies and SOUP lists
  • Quality - Stage review, review of software testing plans, risk management file, checklists, software release, and usability testing
  • Business - Review and approval of user needs, instructions for use, usability testing, and software release

4. Software Description

4.1 Software Architecture

An overview of the software system as well as the software items that make it up are found in the Software Architecture document.

4.2 Software Requirements / Subsystem Requirements

The software requirements are synonymous with subsystem requirements can include the following content as applicable:

  • Functional and capability requirements
  • Software system inputs and outputs
  • Interfaces between the software system and other systems (if other systems exist)
  • Software-driven alarms, warnings, and operator messages
  • Security requirements
  • Usability engineering requirements that are sensitive to human errors and training
  • Data definition and database requirements
  • Installation and acceptance requirements of the delivered medical device software at the operation and maintenance site or sites (if applicable)
  • Requirements related to methods of operation and maintenance
  • User documentation to be developed
  • User maintenance requirements
  • Regulatory requirements
  • Risk control measures (software safety class B and C)

All of these requirements may not be available at the beginning of the software development process and the software requirements list can be updated as the software undergoes normal developmental processes according to SOP Software Development and this plan. Software requirements will be traced through the testing verification and validation process to ensure that they have been met.

5. Software Development Stages

Design stages are described in the SOP Software Development. The documents and review criteria required for each stage are provided in the sections below.

5.1 Stage 1

Activities:

  • User needs specification
  • Software / subsystem requirements specification (design inputs)
  • Establish risk management file
  • Software planning
  • Software Safety Classification

Deliverables:

  • User Needs List
  • Subsystem Requirements List
  • Risk Management Plan
  • Risk Assessment
  • Software Development and Maintenance Plan

5.2 Stage 2

Activities:

  • Verification of software requirements
  • Verification of user needs
  • Software architecture and detailed design (if required)
  • Code creation (Development branch and feature branch)
  • Identification and specification of SOUPs
  • Update of risk management file (as needed)
  • Verification of software architecture
  • Planning of software verification tests

Deliverables:

  • Design Review Checklist
  • Software Architecture
  • Software Detailed Design (if required)
  • Software System Test Plan
  • SOUP List

5.3 Stage 3

Activities:

  • Pull requests of feature branches to development branch (if required)
  • Code review
  • Verification testing of software units and integration
  • Verification testing of software system
  • Identification of bugs and known anomalies
  • Establish usability testing or validation plan

Deliverables

  • Merge feature branch to development branch (if required)
  • Software System Test Report
  • List of Known Anomalies
  • Usability Testing Plan

5.4 Stage 4

Activities:

  • Perform usability testing or validation testing
  • Update risk assessment (if required)
  • Update user needs (if required)

Deliverables:

  • Usability Evaluation Report

5.5 Stage 5

Activities:

  • Merge development branch to release branch
  • Create release notes
  • Check that software is ready for release
  • Update any other regulatory or business dependencies required according to software release checklist
  • Risk management file finalization
  • Merge release branch to main

Deliverables:

  • Software Release Checklist
  • Software Release Notes
  • Other regulatory, quality, and business documentation as needed

6. Configuration Management / Version Control

Software development is controlled through versioning and branching in Sed do eiusmod tempor incididunt.

6.1 Changes

Software versions are named according to Semantic Versioning (SemVer), in a format: MAJOR.MINOR.PATCH. Significant changes may lead to a change of UDI-DI given the significant change in device functionality, while non-significant changes lead to minor version changes and changes of the UDI-PI only (See SOP Certification and Registration). Patches can result from bug fixes (see SOP Change Management). Examples are provided below for an example software version 101.2.3. Software documentation is maintained according to SOP Software Development and SOP Document and Record Control.

6.1.1 Major Change

A major change is a change to software that may significantly impact on the function or safety of the device.

Major changes to the software version may include the following changes as needed:

  • Updates to user needs and/or software requirements (if applicable)
  • Updates to risk management file (if applicable)
  • Updates to software planning, development, and testing procedures according to SOP Software Development (if applicable)
  • Software release checklist
  • Software release notes
  • UDI-DI or UDI-PI updates according to SOP Certification and Registration
  • Notification of the Notified Body of a significant change (As needed according to MDCG 2020-3)
  • Updates to instructional materials including instructions for use (if applicable)

Example version change after major change: Version 101.2.3 -> Version 102.0.0

6.1.2 Minor Change

Changes to software that may have a potential impact the function or safety of the device.

Minor changes to the software version may include the following changes as needed:

  • Updates to user needs and/or software requirements (if applicable)
  • Updates to risk management file (if applicable)
  • Updates to software planning, development, and testing procedures according to SOP Software Development (if applicable)
  • Software release checklist
  • Software release notes
  • Updates to instructional materials including instructions for use (if applicable)

Example version change after minor change: Version 101.2.3 -> Version 101.3.0

6.1.3 Patches

A patch will include changes that likely have a negligible impact on product function and safety and include bug fixes.

Patch changes to the software version may include the following changes as needed:

  • Changes according to SOP Change Management
  • Changes according to SOP Problem Resolution
  • Software release notes

Example version change after patch change: Version 101.2.3 -> Version 101.2.4

6.2 Version Control

To ensure compliance with IEC 62304:2006 using Sed do eiusmod tempor incididunt., the following processes are implemented.

An example schematic for how this could be implemented can be viewed below.

alt text

Once a release has been finalized and has undergone all required steps according to SOP Software Release and this Development and Maintenance Plan, the release branch is merged into the main branch. The commit on the main branch is then tagged with a version number following Semantic Versioning (SemVer) principles.

All changes, including new features, bug fixes, and patches, are documented in the software release notes. This documentation is part of the software configuration management records. Any changes to the software are managed through a formal change control process (SOP Change Management), ensuring traceability and justification for each change.

If there are multiple repositories the requirements for version control and software development and release described in this plan are identical across all repositories. Each repository (if applicable), including all branches and tags, is regularly backed up to ensure that the software configuration can be recovered in case of data loss. All versions of previous branches are archived within Sed do eiusmod tempor incididunt.

7 Software Verification

Software verification will occur during the development stages and prior to the merging of any feature, bugfix, or development branch. Verification activities will be captured within Sed do eiusmod tempor incididunt.

7.1 Code review

Verification of software items and software unit testing will take place as a code review. Code review will be performed by a team member who is not the primary author of the code. Code review will be performed and marked as approved if the code complies with the following criteria:

  • The software code fulfills the software requirements set out in the Software Requirements List for that particular branch
  • The code is appropriate for the function being performed by the software

Code reviewer names, date of code review, and determination of whether the code was acceptable will be maintained within the Sed do eiusmod tempor incididunt.

7.2 Integration Testing

Software integration testing and system software testing will be performed simultaneously according to the software system test plan and report. This will occur during Stage 3 (See Section 5.3). The software system testing will verify the software / subsysten requirements in the current software version to prepare it for release and ensure that all software requirements were met.

Additionally, for each pull request, automated software integration testing can be performed and can be considered as part of the code review process wherein the testing results can be considered acceptable or unacceptable by the judgment of the code reviewer. This is captured during the normal code review process in Section 7.1.

8 Software System Testing

The software system testing will verify the software requirements in the current software version to prepare it for release and ensure that all software requirements were met. The software system test activities are performed during Stage 3 (See Section 5.3) and are captured in the software system test plan and report.

9. Software of Unknown Provenance (SOUP)

SOUP includes software items already developed and generally available and that have not been developed for the purpose of being incorporated into the medical device or software previously developed for which the adequate records of the development processes are not available.

SOUP will be classified into one of three risk classes:

  • Low - SOUP malfunction is unlikely to lead to patient or user harm
  • Medium - SOUP malfunction has the potential to lead to reversible patient or user harm
  • High - SOUP malfunction has the potential to lead to irreversible patient or user harm

Information provided regarding the SOUP list complies with IEC 62304:2006 requirements. SOUP items will be maintained in the SOUP List. SOUP is evaluated using a risk-based approach according to their risk classification.

9.1 SOUP Evaluation

SOUP performance will be evaluated as part of normal verification and validation procedures identified in this plan. SOUP items will be considered alongside software units developed by the manufacturer during unit testing, integration, usability testing, software system testing, and/or regression testing, as needed.

9.2 SOUP Anomalies

SOUP items should be reviewed for known anomalies that may arise during use of the SOUP. Evaluation of known SOUP anomalies prior to use and at recurring times throughout the life of the software product will occur based on the risk assigned to the SOUP item.

Low Risk SOUP

Low risk SOUP item anomalies can be evaluated at the time of first adding the SOUP item to the SOUP list. Known anomalies should be investigated proportional to the importance of the SOUP to software functionality and safety. SOUPs that have no impact on product performance or safety need note be investigated in depth.

Low risk SOUP items should be reviewed for new anomalies every 2 years, as needed.

Medium Risk SOUP

Medium risk SOUP item anomalies can be evaluated at the time of first adding the SOUP item to the SOUP list. Medium risk SOUP items should be reviewed for new anomalies at least annually.

High Risk SOUP

High risk SOUP item anomalies can be evaluated at the time of first adding the SOUP item to the SOUP list. High risk SOUP items should be reviewed for new anomalies at least every 6 months.

10. Software Validation

Validation of software is performed in part by the system testing which allows for validation of system integration. Additionally, the clinical evaluation and usability and human factors engineering testing provide additional validation through the Usability Evaluation Report and the Clinical Evaluation Report.

Medical Device Certification Made Easy.